Norman researchers are uncertain if it's a flawed attack or simply a way to confuse them

Sep 11, 2012 09:29 GMT

Malware built to target the nuclear sector and other critical infrastructure of various countries is usually highly sophisticated. However, as researchers from Norman learned, not all of it is the work of mad geniuses.

The experts have come across a malicious element in an email sent to Areva - a French multinational industrial conglomerate mainly known for its interest in nuclear power and other energy projects.

The email analyzed by the researchers came with an executable that extracted a number of family photographs, an iTunes file and a PDF file. While the images were likely stolen from the computer of an unwitting user, the PDF contained a scanned printout of an internal email from Areva-NC in Normandie.

The information it contained wasn't of major importance, but it clearly showed that Areva wasn't a random target.

The malicious component itself is DarkComet, a well-known Remote Administration Tool (RAT) that has been used in numerous malicious campaigns.

However, the interesting thing is that the attack cannot actually compromise the recipient's machine, because the RAT is not properly configured.

Snorre Fagerland, principal security researcher in the Malware Detection Team (MDT) at Norman, explains that the Trojan is installed but never executed. Furthermore, it is not properly configured, the overall file is very large (around 30 MB), and the iTunes file is empty and contains no malicious code.

Fagerland believes there are three possible scenarios: the attack is real but fails because the Trojan is misconfigured; it is only a test build; or it is simply meant to confuse researchers.

“There is another theory, which I have to consider but don’t know whether to laugh or cry over: It is possible that the attacker has by accident included not only his ‘attack files’ - the AREVA PDF and the failed DarkComet – but somehow managed to include other files. Like for example a whole folder. Which may have contained his own family pictures,” he explained.